POLICY STATEMENT FOR THE PROCESSING OF PERSONAL DATA
pursuant to Article 13 of Lgs. Decree 196/2003 and article 13 of EU Regulation 2016/679 concerning the protection of individuals with regard to the processing of personal data (hereinafter referred to as “Regulation” or “EU REG”)
The purpose of LONGO SPA is to contribute to the achievement of the overall strategic aims of the entity/company/organization; pursuant to Article 13 of Lgs. Decree 196/2003 and Article 13 of European Regulation 679/2016, LONGO SPA, provides you with the following information concerning the processing of your personal data.
- Purpose of personal data processing and legal basis for same
The collection and processing of your personal data serve the following purposes:
a) to implement the aims of LONGO SPA, as provided in its statutory norms and regulations for the purpose of providing the services of the charter of the entity/company/organisation.
b) in these cases, the legal basis for processing consists of the performance of contractual obligations by LONGO SPA;
c) to fulfill the obligations required by laws, regulations and European Community legislation, or provisions issued by public authorities empowered to do this by law, and by the supervisory and control bodies to which LONGO SPA is answerable. In these cases, the legal basis for processing consists of compliance with the legal obligations, pursuant to Art. 6.1, lett. c) of the GDPR);
d) subsequent to your explicit consent and for additional purposes for the provision of statutory and regulatory services, such as, to use “News Alert” services via email or sms, to receive information newsletters on the activities of LONGO SPA or promotional brochures, to measure the quality of services, or for statistical surveys. In these cases, the legal basis for processing consists of explicit consent, pursuant to Art. 6.1, lett. a) of the EU REG);
- Nature of data provision and the consequences of refusal
Refusal to provide personal data or failure to consent to the processing of same will make it impossible for LONGO SPA to settle the services required or to achieve the purposes as stated in point 1 under letters a) and b) of this policy statement.
Provision of data for the purposes stated in point 1, letter c) of this policy statement is optional and the data subject is therefore free to give or refuse consent to same. The data subject is free to revoke any consent given at any time.
- Data processing methods
Your personal data is processed based on the principles of correctness, lawfulness and transparency in order to protect your confidentiality and rights, as well as those of your family members, compliant with Article 5 of the EU REG. Processing can be carried out manually, using hard copy documents, or with the support of electronic or in any case, automated means;
Data are collected and processed at the headquarters of LONGO SPA in the relevant document archives/servers.
Your personal data are processed using suitable technical and organisational security measures, pursuant to Art. 32 of the EU REG, so as to guarantee security levels in line with risks and reducing to a minimum the risks of loss or destruction, unauthorized access, or of processing that does not comply with the purposes of collection.
Your personal data will not be subject to automated decision-making processes or to profiling.
- Special categories of personal data (“sensitive data”)
Pursuant to Art. 9 section 1 of the EU REG, “sensitive data” are “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, biometric and genetic data for the unequivocal identification of an individual, and data concerning health, sex life or sexual orientation of a person”.
To achieves its statutory and regulatory aims and specifically, to provide integrative healthcare services to National Health Authorities, LONGO SPA may process your sensitive data, such as data concerning your health and that of your family members, as well as your membership of any trade unions.
Your sensitive data will be processed with all guarantees in place and compliant with the limits set by the EU REG. Specifically, processing will only concern data strictly pertinent to the abovementioned obligations, tasks or purposes that cannot be performed or fulfilled by processing anonymous data or personal data of a different nature.
Sensitive data may be processed if the data subject has given explicit consent, pursuant to Art. 9 section 2, letter d) of the EU REG, even without the consent of the data subject, when the processing is performed as part of the lawful activities of and with suitable guarantees from an association or other non-profit organisation pursuing trade-union aims, provided that this processing exclusively concerns members, ex-members, or persons with regular contact with the association or body by reason of its purposes and that said personal data are not communicated outside without prior consent of the data subject;
Pursuant to Art. 9 section 2, letter h) of the EU REG, moreover, sensitive data can be processed without consent where said processing is necessary, inter alia, for the management of healthcare or social systems based on Italian or European Union law.
- Data communication
Your personal data will not be disseminated.
To achieve the aims as stated in point 1) of this policy statement, LONGO SPA may need to communicate your personal data to trusted external subjects and notably, to:
a) professional bodies, including their territorial branches, as well as to companies belonging to the group and limited, where necessary, to the performance of the establishment’s tasks and services;
b) credit institutions for banking services and payments, to companies managing computerised postal services, archive and storage companies, other suppliers of additional outsourced services;
c) healthcare facilities and specialist medical professionals with whom formal relations are in being;
d) medical consultants, healthcare staff and legal consultants of LONGO SPA;
e) insurance or reinsurance companies or directly to third parties responsible in case of enforcement of the compensation actions by the Treasury.
The aforementioned subjects, according to each case, will process data in their capacity as autonomous data controllers or “data processors”, i.e. parties duly appointed according to contractual agreements drawn up in compliance with the provisions of article 28 of the EU REG.
Your personal data will not be transferred to third-party non-EU nations or to international organisations. Occasionally, at the explicit request of the data subject (for example, members residing outside Italy), and in compliance with the provisions in the EU REG., personal data may be transferred outside Italy to pay for services in foreign banks.
- Retention period
Your personal data will be retained for the entire duration of the contractual obligation and even after said obligation ceases to be, for the time necessary to meet all of the applicable legal obligations (e.g., fiscal) and/or administrative processes connected to or arising from the encumbrance.
- Identification and contact details for Data Controller and Data Protection Officer
The Data Controller is – LONGO SPA, with registered headquarters in 39100 Bolzano, via Kravogl 7.
For the purposes of exercising your rights as data subject, as listed below, the Data Controller can be contacted by email at firstname.lastname@example.org or by telephone (secretary’s/PR office) at +39 0471 243 111, fax +39 0471 243 100, or using the certified email address email@example.com.
An updated list of data processors is available, on request, at the operational headquarters of LONGO SPA, in 39100 Bolzano, via Kravogl 7.
The Data Protection Officer to contact in case of exercising the rights as provided for in the EU REG. as listed in point 8 below, can be contacted at the following: Dr. Alton Norbert, Via Kravogl 7, 39100 Bolzano, Fax: +39 0471 243 100, Certified email: firstname.lastname@example.org, email: email@example.com, Tel. +39 0471 243111.
- Data subject’s rights
At any time, where you can exercise these rights, pursuant to Art 7 of Lgs. Decree 196/2003 and the articles 15 through to 22 of the Regulation, you have the right to:
a) seek confirmation of the existence or otherwise of their personal data;
b) know the purpose of their processing, the category of personal data, the intended recipients or categories of recipients to which personal data have been or will be communicated, and when possible, the retention period;
c) obtain the correction and cancellation of data;
d) obtain limitations to processing;
e) (where applicable) obtain data portability, i.e., to receive their data from the data controller, in a structured format, commonly used and readable by an automatic device, and to transmit them to another data controller without impediment;
f) oppose processing at any time, even in the case of processing for direct marketing purposes;
g) oppose any automated decision-making process regarding individuals, including profiling.
h) ask the data controller for access to personal data and the correction or deletion of same, or limits to processing data concerning you, as well for the right to the portability of your data;
i) refuse consent at any time without affecting the lawful nature of processing based on consent given before withdrawal of same.
j) submit a complaint to the Authority for the protection of personal data, headquartered in Rome, Piazza di Monte Citorio no. 121, official Authority website www.garanteprivacy.it
The use of these rights is not subject to any constraint and it is free of charge.